CVE-2026-42929: MacGregor VDR G4e Auth Bypass Vulnerability

CVE-2026-42929 Overview

CVE-2026-42929 affects the Danelec MacGregor Interschalt VDR G4e Voyage Data Recorder. The device ships with default accounts that contain hard-coded credentials [CWE-798]. An adjacent network attacker can authenticate to these accounts without prior knowledge of system-specific secrets. Successful authentication grants access to maritime voyage data and recorder configuration.

The weakness exists in firmware on the affected hardware platform. Voyage Data Recorders capture navigation, audio, radar, and engineering data on ships, making integrity of stored records critical for incident investigation. CISA published advisory ICSA-26-148-01 to track this issue. The vulnerability carries a CVSS v4.0 base score of 8.7 and affects confidentiality and integrity of recorded data.

Critical Impact

Adjacent network attackers can authenticate using built-in credentials to access and modify voyage data recordings on affected MacGregor Interschalt VDR G4e devices.

Affected Products

• MacGregor Interschalt VDR G4e Firmware (all versions)
• MacGregor Interschalt VDR G4e hardware appliance
• Danelec-distributed maritime Voyage Data Recorder deployments using the Interschalt G4e platform

Discovery Timeline

• 2026-05-29 - CVE-2026-42929 published to NVD
• 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-42929

Vulnerability Analysis

The Interschalt VDR G4e firmware contains default accounts whose passwords are embedded in the shipped image. These credentials cannot be removed through normal user configuration because they are bound to the firmware build. Any operator with logical reach to the device on the same ship network segment can authenticate as a privileged user.

Voyage Data Recorders are required equipment under SOLAS regulations and store navigation, audio, and engineering telemetry. Unauthorized access to such a system allows an attacker to read voyage data, tamper with recorded evidence, or disrupt recorder availability. The Common Weakness Enumeration entry [CWE-798] describes this exact class of failure: use of hard-coded credentials for inbound authentication.

Exploitation requires adjacent network access, meaning the attacker must be present on the local maritime network. No user interaction or prior privilege is needed. The CVSS vector reports high confidentiality and integrity impact with low availability impact.

Root Cause

The firmware ships with factory accounts whose passwords are static across deployed units. Because the credentials live in the firmware itself, operators cannot rotate or disable them through normal administrative workflows. Devices remain authenticable by anyone who knows or recovers the credential.

Attack Vector

An attacker connected to the bridge network, crew LAN, or an exposed shipboard segment that reaches the VDR can issue authentication requests directly to the device. Once authenticated, the attacker reads or alters voyage data, modifies device configuration, and abuses the position to pivot to adjacent maritime control systems.

No public exploit code or proof-of-concept is published for CVE-2026-42929. The vulnerability mechanism is described in the CISA ICS Advisory ICSA-26-148-01 and the corresponding GitHub CSAF JSON file.

Detection Methods for CVE-2026-42929

Indicators of Compromise

• Authentication events on the VDR originating from hosts that are not part of the documented maintenance workstation inventory.
• Configuration changes or firmware operations on the VDR outside scheduled service windows.
• Unexpected data export, file downloads, or session activity targeting the VDR management interface.

Detection Strategies

• Baseline the normal set of clients that communicate with the VDR and alert on any new source address establishing a session.
• Monitor maritime network segments for connections to VDR management ports from crew, guest, or VSAT-reachable subnets.
• Inspect VDR audit logs for logins using default account names and correlate with crew presence and maintenance tickets.

Monitoring Recommendations

• Forward VDR syslog and authentication logs to a central log store with tamper-resistant retention.
• Deploy passive network monitoring on the bridge LAN to record flows to and from the VDR for forensic review.
• Review the CISA ICS Advisory for vendor-supplied indicators and update detection content as new IOCs are published.

How to Mitigate CVE-2026-42929

Immediate Actions Required

• Contact Danelec via the Danelec contact page to obtain remediation guidance and any available firmware update for the Interschalt VDR G4e.
• Isolate the VDR on a dedicated network segment that only authorized maintenance hosts can reach.
• Inventory every shipboard deployment of the Interschalt VDR G4e and confirm physical and logical access paths to each unit.
• Review VDR audit logs for unauthorized authentications prior to applying mitigations.

Patch Information

No public patch reference is listed in the NVD record for CVE-2026-42929 at the time of publication. Operators should follow the remediation guidance in CISA ICS Advisory ICSA-26-148-01 and coordinate directly with Danelec for firmware updates or compensating controls applicable to their fleet.

Workarounds

• Restrict network reachability to the VDR using shipboard firewall rules and VLAN segmentation so only documented engineering workstations can connect.
• Disable or block any wireless or remote access path that exposes the VDR management interface to crew or external networks.
• Apply physical access controls to the VDR enclosure and management ports to reduce adjacent-network exposure.
• Audit VDR accounts after any vendor update and confirm that default credentials no longer permit authentication.

# Example: restrict access to the VDR management interface to a single maintenance host
# Replace 10.10.0.10 with the authorized maintenance workstation
# Replace 10.20.0.5 with the VDR management address
iptables -A FORWARD -s 10.10.0.10 -d 10.20.0.5 -j ACCEPT
iptables -A FORWARD -d 10.20.0.5 -j DROP